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Abstract. We propose a quantum key distribution protocol with quan- 
tum based user authentication. Our protocol is the first one in which 
users can authenticate each other without previously shared secret and 
then securely distribute a key where the key may not be exposed to even 
a trusted third party. The security of our protocol is guaranteed by the 
properties of the entanglement. 



1 Introduction 

Quantum key distribution(QKD) is the most actively researched field in Quan- 
tum Cryptography. Since BB84 protocol[l] was proposed by Bennett and Bras- 
sard in 1984 as a start, many QKD protocols have been proposed [2-4] and 
implemented [5-7]. The great advantage of QKD is to provide the provable secu- 
rity of distributed keys [8-10]. However, it is assumed that the quantum channel 
is directly connected and previously authorized to the designated users in those 
protocols. This assumption is not suitable on the consideration of quantum net- 
works. To authenticate users on the quantum networks, Quantum Authentica- 
tion protocols [11-18] are proposed since Crepeau and L. Salvail first proposed 
a quantum identification protocol in 1995. Some Quantum Authentication pro- 
tocols assume that the users have some authentication information such as en- 
tangled states[ll-13] and authentication sequence[14, 15]. As mentioned above, 
these protocols can not be operated on the quantum networks. Other quantum 
authentication protocols[16-18] introduced a trusted third party. Quantum au- 
thentication protocols proposed by Zeng and Zhang[16] in 2000 and Mihara[17] 
in 2002 are only for authentication. Alice and Bob can authenticate each other 
and distribute key without previously shared information only in one protocol 
proposed by Ljunggren and et al.[18]. The major disadvantage of this protocol 
is the leakage of the key to the trusted third party. 

In this paper, we propose a Quantum Key Distribution protocol with authen- 
tication. The proper users, Alice and Bob can authenticate each other without 
previously shared secret and share a secret key without leakage of information 
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to anyone. We organize this paper as follows. First, we propose a new QKD pro- 
tocol with user authentication in chapter 2. Our QKD protocol is composed of 
two parts: one is authentication and the other key is distribution. Grcenberger - 
Home - Zollinger (GHZ) states[19] are used to authenticate users and distribute 
a secret key. The security analysis of our protocol is discussed in chapter 3 and 
at last our conclusion is presented in chapter 4. 

2 Quantum Authentication and Quantum Key 
Distribution protocol 

2.1 Authentication 

We assume that Alice and Bob do not share any prior secret information or 
entanglement states for authentication. To identify each other in the communi- 
cation, they are supposed to introduce a trusted third party, Trent. Trent plays 
a role like a CA(certificate authority) in PKI(Public Key Infrastructure) [20, 21]. 
If there are n users in quantum networks, then "C"" 1 ) keys are needed to com- 
municate freely when there is no Trent. Besides, each user must distribute n—1 
secret keys with other users. However, only n keys are needed when Trent exists 
and each user just needs to distribute one secret key with Trent. Trent may be a 
loophole for security. However it can be overcome using similar methods applied 
to CA. 

We assume that Alice has registered her secret identity ID a and a one-way 
hash function Ka '■ {0, 1}* x {0, 1}' — ^ {0, l} m , where * means an arbitrary length, 
I is the length of a counter, and m is a constant. Bob has also registered his 
secret identity IDs and a one-way hash function hs to Trent. This information 
is assumed to be kept secret between the user and Trent. Authentication key 
can, then, be generated by a hashed value h user (ID user , c user ) where c user is a 
counter which is the number of the calls of the one way hash function h user . 

If Alice wants to distribute a key with Bob, she notifies this fact to Bob 
and Trent. On receiving the request, Trent generates N GHZ tripartite states 
1^) = I V^i ) I ^2 ) - - - 1 V'iv ) - For simplicity the following GHZ state \ipi) is supposed 
to be prepared. 

|Vi> = -U|° 0( Wb + |1H)atb) 
v2 

where the subscripts A, T and B correspond to Alice, Trent, and Bob, respec- 
tively. In this paper, we represent the z basis as {|0), |1)} and the x basis as 
{|+>, |-)}, where |+) = ^(|0) + |1» and R = ^ (|0) - |1». 

Next, Trent encodes Alice's and Bob's particles of GHZ states with their 
authentication keys, }ia(IDa,ca) and HbIIDb, cb), respectively. For example, 
if the ith value of Ha^IDatCa) is 0, then Trent makes an identity operation I 
to Alice's particle of the zth GHZ state. If it is 1, Hadamard operation H is 
applied. If the authentication key does not have enough length to cover all GHZ 
particles, new authentication keys can be created by increasing the counter until 
the authentication keys shield all GHZ particles. After making operations on 
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the GHZ particles, Trent distributes the states to Alice and Bob and keeps the 
remaining for him. 
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Fig. 1. Procedures of Authentication 0. Alice and Bob register their secret identi- 
ties and hash functions to Trent. 1. Trent generates GHZ states \ip) — -^j (| 000) atb + 
111)ats). 2. Trent makes unitary operations on \ip) with Alice's and Bob's authen- 
tication key. 3. Trent distributes GHZ particles to Alice and Bob. 4. Alice and Bob 
make reverse unitary operations on their qubits with their authentication key, respec- 
tively. 5. Alice and Bob choose the position of a subset of GHZ states and make a local 
measurement in the z basis on them and compare the results. 



On receiving the qubits, Alice and Bob make reverse unitary operations on 
their qubits with their authentication key Iia(IDa, c a ) and /is (IDs, c B ), re- 
spectively. This authentication procedure can be written in the following form 
of sequences of local unitary operation, the initial state: 

|Vi>i = -^={\000)atb + \Hl) atb) 
v2 

state after Trent's transformation 

|^>2 = {[l-h A {ID A ,c A )]I+[h A (ID A ,c A )]H} A 

® {[1 - h B (ID B ,c B )}I + [h B {ID B ,c B )]H} B \4, t ) 1 
and finally the state after Alice's and Bob's local operations 

1^)3 - {[l-h A (ID A ,c A )]I+[h A (ID A c A )}H} A 

® {[1 - h B (ID B ,c B )]I+ [h B {ID B ,c B )]H} B \^) 2 
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where \ipi) is the state of the i-th GHZ particle and the subscript 1, 2, and 3 
represents the three steps of authentication. 

Next, Alice and Bob select some of the decoded qubits, make von-Neumann 
measurements on them, and compare the results through the public channel. If 
the error rate is higher than expected, then Alice and Bob abort the protocol. 
Otherwise they can confirm that the other party is legitimate and the channel 
is secure. They then execute the following key distribution procedures. 

2.2 Key Distribution 

Alice and Bob randomly make an operation either identity operation I or Hadamard 
operation H on the remaining GHZ particles. They keep the record of the oper- 
ations which they made. For example, represents I and 1 indicates H. After 
making unitary operations, Bob sends his encrypted GHZ particles to Alice. On 
receiving the qubits, Alice makes Bell measurements on pairs of particles con- 
sisting of her qubit and Bob's qubit. On the other hand, Trent measures his 
third qubit in the x basis and reveals the measurement outcomes. In this paper 
we use the following notations of Bell states. 

!<*>+) 

l*-> 
W + ) 
\$~) 

Alice can infer Bob's unitary operations and sometimes discover the existence 
of Eve using the table [1]. For example, if Trent discloses |+), Alice chooses I 
operation and her Bell measurement result is |<?~), then Alice can infer that Bob 
made a H operation and he sent 1. On the other hand, if Trent makes public 
|+), Alice makes I operation and obtains \&~), then Alice can detect an error. 

Table 1. Operations on reversed GHZ states(i.e. \tp)) and published information 



Operation 


Transformation of GHZ states 
after Alice's and Bob's operations 


Alice 


Bob 


7(0) 


7(0) 


^{\$ + )AB\+)a + \$-)AB\~)a) 


7(0) 


77(1) 


j(\<P + )AB\-)a + \<P~)AB\+)a + |«P + )ab|+)c + \9~)ab\-)o) 


77(1) 


7(0) 


\{\$ + )AB\-)a + |*->Afl|+>« + \V + ) AB \+)a - \ 9~ ) AB \ - ) „ ) 


77(1) 


77(1) 


^(\<P + )ab\+)« + \V + )abH«) 



= 7=2 {m + 


llin 


= T2 m) - 


in)} 


= T2 m) + 


|io» 


= Ta- 


|io» 
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Fig. 2. Procedures of Key distribution 1. Alice and Bob make identity opera- 
tions I (0) or Hadamard operations H (1) randomly on the remaining GHZ particles 
after authentication. 2. Bob sends his encoded particles to Alice. 3. Alice makes Bell 
measurements on pairs of particles consisting of her qubit and Bob's qubit. 4. The 
arbitrator measures his qubits in the x basis and publishes the results. 5. Alice infers 
Bob's operation using the table [1]. 6. Alice and Bob select check bits and compare 
them. 



Alice and Bob compare some bits of their shared key (Bob's operation se- 
quence). If the error rate is higher than the acceptable level, they throw away 
the shared sequence and restart the protocol. Otherwise they use the remaining 
sequences as a secret key. Usual error correction can be implemented to correct 
the remaining errors. Alice and Bob can reduce the Eve's knowledge of a shared 
key by standard privacy amplification[22, 23]. 

3 Security Analysis 

In the assumption, user identity and a hash function are enrolled to Trent and the 
information is kept secret only between the owners and the arbitrator. Moreover 
Trent is supposed to be a honest person whom Alice and Bob can trust. 

We first analyze the process of authentication. Suppose Eve intercepts the 
qubits heading to Alice or Bob and disguises her or him. Let Eve use the following 
unitary operation Uae on Alice's and her qubit |e). 



where |a| 2 + \f3\ 2 = 1, |a'| 2 + |/3'| 2 = 1 and a/3* + a'*f3' = 0. If a bit of Alice's 
authentication key is (1), the total states |£o) ( or |£i)) of system and Eve's 



U AE \0e) AE = a\0) A \e O o)E + P\l)A\eoi) E 



UaeMae = p'\0) A \e w ) E + a'\l) A \eu)E 
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probe after Alice's and Bob's reverse operation is as follows. 

|£o> = U AE { -^=(|000> ATB + \m) ATB )}\e} E 

= 4={a|000) ATB |e 00 ) B + l3\100) ATB \eoi)E 
v2 

+ (3' \011) at B\e w ) E + a' at B\eu) E } 
|&) = H a U ae {H a ^=(\000)atb + |lll>ATB)}|e)B 

{|000) A TB(a|eoo)B + P\e 01 ) E + P'\e 10 ) E + a'\e n ) E ) 



2V2 

+ |001) ATB(a\e 00 )E - /3\e i) E + P'\e w ) E - a'\e n ) E ) 
+ |110)ATs(a|e O o)£; + (3\e i) E - P'\e w ) E - a'\eu) E ) 
+ |lll) j4 Ts(a|e o)£; - f3\e 01 ) E - (3'\e w ) E + a'\eu) E )} 

Eve can be detected with probability 1+ ^ 4 + ^ (when the probability of and 
1 in an authentication key is same) in the authentication phase. If the number 
of the check bits in the authentication process is c, then Alice and Bob can find 
out the existence of Eve with probability of 1 — ( 1+a 4 + " ) c - Eve is, therefore, 
always revealed if c is large enough. Hence if the authentication is passed, then 
Alice and Bob confirm the other party is the designated user. 

Moreover, the original secret identities of users cannot be revealed even if Eve 
estimates some bits of the authentication key i.e. the hashed value. Eve can infer 
only some bits of the authentication key by checking bits in the authentication 
process. However Eve cannot reverse the hash function with partial information 
of the hashed value obtained from the checking bits in the authentication process. 
Besides Eve cannot infer the next authentication key since it is used only once 
and changed every time. 

After authentication process, only Bob's qubits are transmitted. Eve will 
make operations on these qubits in key distribution phase. Suppose Eve use the 
above unitary operation Use on Bob's and her qubit \E). Then we can get the 
following states of total system composed by Alice, Bob, Trent and Eve. Equation 
(1) is derived from the situation when Alice and Bob choose /, equation (2) when 
they apply different unitary operations (H and I), and equation (3) is when they 
make H operations. 

(1) ^75 l^+^sll+Maleoo^ + a'\eu) E ) + |-> T (a|e o)E - a'\ eil ) E )} 
+ \&~)AB{\+)T(a\e 0() ) E - a'\e n ) E ) + |-)T(a|eoo)E + a'\en) E )} 
+ W + )AB{\+) T {(3\e i)E + P'\e w ) E ) + |-> T G0|eoi>js - P'\e w } E )} 
+ \*-)ab{\+)tW i) e - P'\e w ) E ) + \-) T (0\e ol ) E + P'\e w ) E )}\ 
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(2) 



|^ + >Aij{|+)T(a|eoo)£; - a'\e lx ) E + P\e Q1 ) E + P'\e w ) E ) 
+ |->T(a|eoo>B + a'\en) E =F (i\e m ) E ± P'\e w ) E )} 
+ \®~)AB{\+)T{u\e m ) E + a'\eu)E ~ 0\e O i) E + 0'\e w ) E ) 
+ |-)r(Q!|eoo>B - a'\en) E ± (i\e m ) E ± /3'|ei >£;)} 
+ |^+) AB {|+)T(a|eoo> J E + a'|en) B + /3|e i) B - /?'|eio)B) 

+ |-)r(To:|eoo)£ ± a'|eii} B + j3\e i) E + f3'\e 10 ) E )} 
+ 1^-) AB{\+)T(-a\e 00 ) e +a'\en) E +/3\e 01 ) E + 0'\e w ) E ) 
+ |-)r(±a|eoo>B ± a'\eu) E + (3\e i) E - P'\e 10 ) E )} 



(3) 5*5 



MB 



{|+) T (a|e o)£ + a'|en>E) + |-> 5 



*\ - - 

+ \$~)AB{\+)T{a\e 00 ) E - a'|en) E ) 
+ W + )A B {\+)TW m ) E + P'\e w ) E ) 

+ W-)AB{\+) T {(i\e m ) E - P'\e w ) E ) 



\eoi) E + (3'\e 10 ) E )} 

-)T(P\eoi)E-p'\e w )E)} 
-)T(a|eoo>B + a'\eu) E )} 

-)T(a|e o>B - a'|eii) E )} 



As shown in the above equations, Eve can be detected with probability i + 

- per check bit in the key distribution phase. Hence Eve can be detected 
with certainly if enough check bits are used in the key distribution. In this regard, 
Alice and Bob can identify and securely distribute a key with certainty using 
our protocol. 



4 Conclusions 

We propose a quantum key distribution protocol with quantum based user au- 
thentication. User authentication is executed without previously shared secret 
and by validating the correlation of GHZ states. A key can be securely distributed 
by using the remaining GHZ states after authentication. By the properties of 
the entanglement of GHZ states, even the trusted third party, Trent can not 
get out the distributed key. We expect our protocol can well be adjusted to be 
incorporated in future quantum networks. 

We acknowledge helpful discussion with Andreas Poppe and Hannes Hubel. 
This work was supported by the Korea Research Foundation Grant funded by 
the Korean Govcrnment(MOEHRD)(KRF-2005-213-D00090). 
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